Re: Question on SSL certificate expiry
From: Nikhil Shetty
Subject: Re: Question on SSL certificate expiry
Msg-id: CAFpL5Vyf0Z25seOvH3aCqAc-tzPYKUd9s4Xq9MYn1OpC9=m7Mg@mail.gmail.com
In reply to: Re: Question on SSL certificate expiry (Tom Lane <tgl@sss.pgh.pa.us>)
Responses: Re: Question on SSL certificate expiry
List: pgsql-admin
Hi Tom,
We are using verify-full on both client and server.
Server Side pg_hba.conf
hostssl all <user> <ip> cert clientcert=1
Server Side SSL
postgres=# show ssl_cert_file ;
ssl_cert_file
--------------------------------------
/data/server.cert
postgres=# show ssl_ca_file ;
ssl_ca_file
---------------------------------------------
/data/ca-cert.pem
postgres=# show ssl_key_file ;
ssl_key_file
-------------------------------------
/data/server.key
Client side SSL
export PGSSLROOTCERT="ca.pem"
export PGSSLMODE="verify-full"
export PGSSLCERT="cert.pem"
export PGSSLKEY="cert.key"
Thanks,
Nikhil
On Thu, Jun 1, 2023 at 6:37 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Nikhil Shetty <nikhil.dba04@gmail.com> writes:
> We were using MTLS to connect to the database. We noticed that even after
> server certificates expired the client was able to connect to the database.
> 1. Doesn't postgres check the expiry date of the certificate?
Postgres does not. The openssl library can. The most likely
guess, on the basis of the next-to-zero details you provided,
is that the connection is succeeding via some method that doesn't
require the client to check the server's certificate --- for
instance, a completely unencrypted connection.
regards, tom lane
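Tom's point is that the expiry check lives in the TLS library and only runs when the client is actually verifying the server certificate. The following added example (not code from this thread or from libpq) approximates the PGSSLMODE levels with Python's ssl module and checks a certificate's validity window on a constructed getpeercert()-style dict, so you can see which modes would have rejected an expired server certificate and which would not.

```python
import ssl
import time

# Added example: approximates libpq's PGSSLMODE levels with the Python ssl
# module (an analogue, not libpq code). It ignores one libpq detail: "require"
# verifies like verify-ca when a root CA file happens to exist.
def context_for_sslmode(sslmode):
    """Return an SSLContext whose checks match the given PGSSLMODE value."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if sslmode in ("disable", "allow", "prefer", "require"):
        # Encryption only: the server certificate, and so its expiry, is
        # never checked; an expired or unknown-CA certificate is accepted.
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif sslmode == "verify-ca":
        ctx.check_hostname = False  # chain to PGSSLROOTCERT checked, host not
        ctx.verify_mode = ssl.CERT_REQUIRED
    elif sslmode == "verify-full":
        ctx.check_hostname = True  # verify-ca plus hostname match
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        raise ValueError("unknown sslmode %r" % sslmode)
    return ctx

def verifies_server_cert(sslmode):
    """True when the handshake would reject an expired server certificate."""
    return context_for_sslmode(sslmode).verify_mode == ssl.CERT_REQUIRED

def cert_validity_problem(peercert, now=None):
    """None if `peercert` (SSLSocket.getpeercert() dict shape) is valid at
    `now`, else a short reason. OpenSSL formats the dates as
    'Jun  1 18:37:00 2023 GMT', which ssl.cert_time_to_seconds parses."""
    now = time.time() if now is None else now
    if now < ssl.cert_time_to_seconds(peercert["notBefore"]):
        return "not yet valid (notBefore %s)" % peercert["notBefore"]
    if now > ssl.cert_time_to_seconds(peercert["notAfter"]):
        return "expired (notAfter %s)" % peercert["notAfter"]
    return None

# Constructed sample (not a real certificate): a server certificate that had
# already expired on the date of the thread, 1 Jun 2023.
EXPIRED_SERVER_CERT = {
    "subject": ((("commonName", "db.example.internal"),),),
    "notBefore": "May 15 00:00:00 2022 GMT",
    "notAfter": "May 15 00:00:00 2023 GMT",
}
THREAD_DATE = ssl.cert_time_to_seconds("Jun  1 18:37:00 2023 GMT")

if __name__ == "__main__":
    print(verifies_server_cert("require"), cert_validity_problem(EXPIRED_SERVER_CERT, THREAD_DATE))
```

If a connection to a server with an expired certificate succeeds, the effective mode on that connection was not verify-ca or verify-full, whatever the environment was meant to set; `verifies_server_cert` gives the same answer the handshake would.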